Coverity Finds and Fixes Critical Defects in Open-Source Projects

By Darryl K. Taft |
Posted 2013-09-19

Coverity, a provider of application development testing, Sept. 19 announced that its software enables an open-source tool known as ANother Tool for Language Recognition, or ANTLR, to find and fix open-source software defects.

Coverity released the results of its latest Coverity Scan Project Spotlight, which analyzed the ANTLR Java project, including defect density as compared with the industry average defect density for good quality software and types of defects identified. The scan found a series of previously undiscovered defects.

ANTLR is a Java-based parser generator for reading, processing, executing and translating structured text or binary files. The software, which is used to build languages, tools and frameworks, is downloaded more than 5,000 times per month and is used by several major companies, including Apple, Oracle, Salesforce.com and Twitter.

Although the ANTLR project only started using the Scan service in late August 2013, it has already leveraged Coverity's development testing technology to find and fix 20 previously undiscovered high- and medium-risk defects, including a resource leak and copy-paste error that could have caused a significant software crash in production, Coverity officials said.

Coverity expanded its free Coverity Scan service to include Java projects in May 2013, to help drive higher levels of software quality and security within the open-source community. The Scan service uses Java analysis algorithms in the Coverity Development Testing Platform to find critical defects such as resource leaks and concurrency issues. The service also uses a highly tuned version of the FindBugs static analysis tool, which is integrated into the Coverity platform, to identify coding standard and style issues. Since August 2013, the Coverity Scan service has analyzed 43,000 lines of ANTLR code and identified 171 defects.

"ANTLR is one of a growing number of Java open source projects that have joined the Scan service to help enhance code quality," said Jennifer Johnson, chief marketing officer for Coverity, in a statement. "The ANTLR team has done an excellent job of addressing key defects in their code in the short time that they have been participating in the service, and we look forward to continuing to work with them to ensure that their Java code is of the highest quality, as well as to further expanding our engagement with the Java community."

Coverity introduced its monthly Coverity Scan Project Spotlights due to high demand for the annual Coverity Scan Report and the insight it provides into the state of open-source software quality. The Coverity Scan Report has become something of a standard for measuring the state of open-source software quality. The 2012 Scan Report found an average defect density of .69 for open-source software projects that leverage the Coverity Scan service, as compared with the accepted industry standard defect density for good quality software of 1.0.

At the end of August, the Coverity Scan service analyzed the Python open-source project. The scan found that Python's defect density of .5 significantly surpasses the accepted industry standard defect density for good quality software and introduces a new level of quality for open-source software.

As of late August, the Coverity Scan service had analyzed nearly 400,000 lines of Python code and identified 996 new defects—860 of which have been fixed by the Python community.

"Python is the model citizen of good code quality practices, and we applaud their contributors and maintainers for their commitment to quality," Johnson said in a statement. "Python's decision to join the Coverity Scan service and leverage our industry-leading development testing platform has raised the bar for open source software. This Scan Spotlight—and Python's impressive level of software quality—should be a call to action for any C/C++ or Java open source project not yet reaping the benefits of the Coverity Scan service."